Skip to main content

Cyber Risk

Cyber Risk is defined as the potential threats occurring from failures in digital technologies, electronic systems, technological networks, devices and media. Cyber threats include:

  • Hacker attacks
  • Data breaches
  • Virus transmission
  • Cyber extortion
  • Network downtime or unavailability
  • Media liability
  • Human error (also in operational risk)

The Institute of Risk Management (IRM) defines Cyber Risk as:

The risks and opportunities which digital technologies, devices and media bring us are manifest. Cyber risk is never a matter purely for the IT team, although they clearly play a vital role. An organisation’s risk management function need a thorough understanding of the constantly evolving risks as well as the practical tools and techniques available to address them.

“Cyber risk” means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.

With the increasing reliance on the Internet and cloud computing, firms are more and more attentive and serious about Cyber Risk, hiring dedicated professionals and including Cyber Risk as one of the top risks currently discussed at board meetings. Materialising cyber threats may cause financial institutions to face monetary and reputational losses which can ultimately put them out of business.

Top Targets

Over the past few years, large U.S. banks have been subjected to a barrage of cyberattacks, which have been extremely costly. According to reports, Citigroup, Bank of America and Wells Fargo showed a 0.4 percent to 0.9 percent drop in their stock prices as a result of attacks, while JPMorgan Chase saw its share price fall by 1 percent after a security breach.

In the JPMorgan Chase breach, names, addresses, phone numbers, email addresses and internal information related to 83 million customers were stolen by attackers. The company reported it had not seen any fraud related to the incident, though the attack — in which cybercriminals were able to gain a high level of system privileges on more than 90 servers — went unnoticed for some two months.

Already spending $250 million per year on digital security, JPMorgan Chase has pledged to double that spending over the next year as a direct result of the security breach and has increased the number of security professionals it employs to 1,000. It has also reviewed its security procedures, including access controls, to strictly limit privileged user access in order to avoid “catastrophic technical or reputational damage.” USA TODAY reports that Bank of America is also spending hundreds of millions of dollars on security, and that amount continues to grow.

Source: Security Intelligence (30-Apr-2015)

Recent Attacks on Banks

According to KPMG, cyber security is the most prevalent IT risk for banks. In a KPMG study from September 2016, cyber security issues rank highest among risks and facing G-SIFIs. The big question is how should banks handle this.

Recent cyber attacks include:

  • Ecuadorian Banco del Austro (BDA), in January 2015, causing financial losses of USD 12 million
  • Vietnam’s Tien Phong Bank (TP Bank), in December 2015, succeeded in halting a cyber-attack in which hackers attempted to use fraudulent SWIFT messages to transfer more than EUR 1 million from TP Bank
  • In February 2016, a fraudulent transfer of USD 850 million from Bangladesh Central Bank was blocked after SWIFT detected a spelling error in the name of the recipient. Bangladesh Central Bank was not able to prevent the entire transfer and the hackers successfully transferred USD 101 million (of the USD 850 million), of which USD 20 million was recovered by the central bank after identifying the attack.

In these incidents, all three banks were targeted using similar hacking techniques: obtaining valid credentials of SWIFT operators unlawfully then initiating transactions by sending fraudulent SWIFT messages on behalf of these operators. With this information, the banking community should be able to prevent further attacks by uncovering new unforeseen attack patterns.

Among industry participants, including supervisors, banks, and cyber risk specialists, it is agreed that the following key initiatives could improve cyber resilience in the Eurozone:

  • Real-time alert database
  • Cyber Stress testing
  • Guidelines and best practices

Source: KPMG

Our recent articles about Cyber Risk